A new version of the sophisticated Android spyware Mandrake has been discovered in five applications that were available for download from the Google Play Store and had gone undetected for two years.
In total, Kaspersky said the apps had been installed more than 32,000 times before they were removed from the app store, with the majority of downloads coming from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.
“The new samples included new levels of obfuscation and evasion techniques, such as moving malicious functionality into obfuscated native libraries, using certificate pinning for C2 communications, and performing various tests to check if Mandrake is running on a rooted device or in an emulated environment,” researchers Tatyana Shishkova and Igor Golovin said.
Mandrake was first documented in May 2020 by Romanian cybersecurity vendor Bitdefender, describing a deliberate approach to infecting small numbers of devices while lurking in the shadows since 2016.
The updated variant features the use of OLLVM to hide its core functionality, and also incorporates a set of sandbox evasion and anti-analysis techniques to prevent the code from being executed in environments operated by malware analysts.
The list of apps that include Mandrake is below –
- AirFS (com.airft.ftrnsfr)
- Amber (com.shrp.sght)
- Astro Explorer (com.astro.dscvr)
- Brain Matrix (com.brnmth.mtrx)
- CryptoPulsing (com.cryptopulsing.browser)
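For fleet or incident-response triage, the package names above are the most directly usable indicators in the report. The script below is an added example (not code from the article, Kaspersky or Google): it parses the output of Android's `pm list packages` command, in both its plain form and its `-f` form that also prints the APK path, and reports any of the five Mandrake package names that are installed. The `scan_device` helper assumes `adb` is on the PATH and a device is connected; the sample `pm` output is constructed for illustration.

```python
"""Check an Android device's installed-package list against the Mandrake
package names listed in the report.  Added example; not part of the article."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Package names taken from the report's list of Mandrake-carrying apps.
MANDRAKE_PACKAGES = {
    "com.airft.ftrnsfr": "AirFS",
    "com.shrp.sght": "Amber",
    "com.astro.dscvr": "Astro Explorer",
    "com.brnmth.mtrx": "Brain Matrix",
    "com.cryptopulsing.browser": "CryptoPulsing",
}

# Matches both `pm list packages` lines ("package:com.foo") and
# `pm list packages -f` lines ("package:/data/app/.../base.apk=com.foo").
# The path is non-greedy so that "=" characters inside the path are tolerated;
# the package name must run to the end of the line.
_PM_LINE = re.compile(r"^package:(?:(?P<path>\S+?)=)?(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Return {package_name: apk_path_or_None} from `pm list packages` output.

    Lines that do not match the expected format (warnings, blanks) are ignored
    rather than raising, so a noisy `adb shell` transcript can be fed in as-is."""
    packages: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            packages[m.group("name")] = m.group("path")
    return packages


def find_mandrake(packages: Dict[str, Optional[str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (package, app_name, apk_path) for each known Mandrake package present."""
    return sorted(
        (name, MANDRAKE_PACKAGES[name], path)
        for name, path in packages.items()
        if name in MANDRAKE_PACKAGES
    )


def scan_device(adb: str = "adb") -> List[Tuple[str, str, Optional[str]]]:
    """Query the connected device over adb (assumed on PATH) and return matches."""
    proc = subprocess.run(
        [adb, "shell", "pm", "list", "packages", "-f"],
        capture_output=True, text=True, check=True,
    )
    return find_mandrake(parse_pm_list(proc.stdout))


# Constructed sample output in the `-f` format, with one Mandrake package present.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~abc==/com.shrp.sght-xyz==/base.apk=com.shrp.sght
package:/data/app/~~def==/org.example.notes-uvw==/base.apk=org.example.notes
"""

if __name__ == "__main__":
    for pkg, app, path in find_mandrake(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"MATCH {pkg} ({app}) at {path}")
```

Package-name matching is only a first pass: a repackaged sample can ship under a different name, so a hit here should lead to pulling the APK (the path is returned for that reason) and checking its signing certificate and hashes against a trusted source.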
The apps are packed in three stages: a dropper downloads the malware from a command-and-control (C2) server, decrypts it, and then launches a loader that runs the malware’s core components.
The second stage payload can also gather information about the device’s connectivity state, installed applications, battery level, external IP address, current Google Play version, and can also erase core modules and request permission to draw an overlay and run in the background.
The third stage supports additional commands to load specific URLs in a WebView to initiate a remote screen sharing session, as well as recording the device screen with the aim of stealing the victim’s credentials and dropping more malware.
“Android 13 introduced the ‘Restrictions Settings’ feature, which prohibits sideloaded applications from directly requesting dangerous permissions,” the researchers said. “To circumvent this feature, Mandrake handles the installation with a ‘session-based’ package installer.”
The Russian security firm cited Mandrake as an example of a dynamically evolving threat that is constantly improving its techniques to evade defenses and avoid detection.
“This highlights the formidable skills of threat actors and the increased moderation of applications before they are released to the market allows more sophisticated and hard-to-detect threats to sneak into the official app market,” the report said.
When reached for comment, Google told The Hacker News that it continually strengthens Google Play Protect’s defenses as new malicious apps are reported, enhancing the feature with additional real-time threat detection to combat obfuscation and anti-evasion techniques.
“Android users are automatically protected from known versions of this malware by Google Play Protect, which is turned on by default on Android devices with Google Play services,” a Google spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when they come from sources outside of Play.”